Andrew Bogott has submitted this change and it was merged.
Change subject: Clean up sysctl parameters.
......................................................................
Clean up sysctl parameters.
This patch reorganizes the sysctlfile module and sysctl resource into a
reworked sysctl module and configures Puppet to manage /etc/sysctl.d
recursively. This means Puppet _will_ purge defaults installed into
/etc/sysctl.d by default. However, the defaults installed by Ubuntu Precise
have been expressed as Sysctl::Parameters['ubuntu precise defaults'] in class
base::sysctl.
Change-Id: Ib294b691dad8500c2e0cd39896882f8cf4f3a286
---
M manifests/base.pp
M manifests/generic-definitions.pp
M manifests/lvs.pp
M manifests/misc/download.pp
M manifests/misc/udp2log.pp
M manifests/openstack.pp
M manifests/role/ceph.pp
M manifests/role/ipv6relay.pp
M manifests/role/memcached.pp
M manifests/role/mirror.pp
M manifests/role/protoproxy.pp
M manifests/site.pp
M manifests/squid.pp
M manifests/swift.pp
M manifests/webserver.pp
A modules/sysctl/files/sysctl.d-empty/README
A modules/sysctl/manifests/conffile.pp
A modules/sysctl/manifests/init.pp
A modules/sysctl/manifests/parameters.pp
A modules/sysctl/templates/sysctl.conf.erb
D modules/sysctlfile/files/50-advanced-routing-ipv6.conf
D modules/sysctlfile/files/50-advanced-routing.conf
D modules/sysctlfile/files/50-ipv6-disable-ra.conf
D modules/sysctlfile/files/50-lvs.conf
D modules/sysctlfile/files/50-wikimedia-base.conf
D modules/sysctlfile/files/60-high-bandwidth-rsync.conf
D modules/sysctlfile/files/60-high-http-performance.conf
D modules/sysctlfile/files/99-big-rmem.conf
D modules/sysctlfile/manifests/advanced-routing-ipv6.pp
D modules/sysctlfile/manifests/advanced-routing.pp
D modules/sysctlfile/manifests/high-bandwidth-rsync.pp
D modules/sysctlfile/manifests/high-http-performance.pp
D modules/sysctlfile/manifests/ipv6-disable-ra.pp
D modules/sysctlfile/manifests/lvs.pp
M modules/toollabs/manifests/exec_environ.pp
M modules/varnish/manifests/common.pp
36 files changed, 265 insertions(+), 248 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/base.pp b/manifests/base.pp
index fa55bfe..6f8ae17 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -306,32 +306,58 @@
}
class base::sysctl {
- if ($::lsbdistid == "Ubuntu") and ($::lsbdistrelease != "8.04") {
- exec { "/sbin/start procps":
- path => "/bin:/sbin:/usr/bin:/usr/sbin",
- refreshonly => true;
- }
+ # Defaults sysctl parameters for Ubuntu Precise
+ # We set them ourselves so we can purge /etc/sysctl.d.
+ sysctl::parameters { 'ubuntu precise defaults':
+ values => {
+ # 10-console-messages.conf
+ 'kernel.printk' => [ 4, 4, 1, 7 ],
- # FIXME: *never* source a file from a module
- sysctlfile { 'wikimedia-base':
- source =>
'puppet:///modules/sysctlfile/50-wikimedia-base.conf',
- number_prefix => '50',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
+ # 10-kernel-hardening.conf
+ 'kernel.kptr_restrict' => 1,
- # Disable IPv6 privacy extensions, we rather not see our
servers hide
- file { "/etc/sysctl.d/10-ipv6-privacy.conf":
- ensure => absent
- }
- } else {
- # FIXME: this is a super ugly hack but the sysctlfile module is
broken,
- # relying on a definition to be defined in base.pp to actually work
- exec { "/sbin/start procps":
- command => '/bin/true',
- refreshonly => true,
- }
- }
+ # 10-network-security.conf
+ 'net.ipv4.conf.default.rp_filter' => 1,
+ 'net.ipv4.conf.all.rp_filter' => 1,
+ 'net.ipv4.tcp_syncookies' => 1,
+
+ # 10-ptrace.conf
+ 'kernel.yama.ptrace_scope' => 1,
+
+ # 10-zeropage.conf
+ 'vm.mmap_min_addr' => 65536,
+
+ # We don't want 10-ipv6-privacy.conf, so skip it.
+ },
+ }
+
+ sysctl::parameters { 'wikimedia base':
+ values => {
+ # Increase TCP max buffer size
+ 'net.core.rmem_max' => 16777216,
+ 'net.core.wmem_max' => 16777216,
+
+ # Increase Linux auto-tuning TCP buffer limits
+ # Values represent min, default, & max num. of bytes to use.
+ 'net.ipv4.tcp_rmem' => [ 4096, 87380, 16777216 ],
+ 'net.ipv4.tcp_wmem' => [ 4096, 65536, 16777216 ],
+
+ # Don't cache ssthresh from previous connection
+ 'net.ipv4.tcp_no_metrics_save' => 1,
+ 'net.core.netdev_max_backlog' => 2500,
+
+ # Increase the queue size of new TCP connections
+ 'net.core.somaxconn' => 1024,
+ 'net.ipv4.tcp_max_syn_backlog' => 4096,
+
+ # Swapping makes things too slow and should be done rarely
+ # 0 = only swap in OOM conditions (it does NOT disable swap.)
+ 'vm.swappiness' => 0,
+ 'net.ipv4.tcp_keepalive_time' => 300,
+ 'net.ipv4.tcp_keepalive_intvl' => 1,
+ 'net.ipv4.tcp_keepalive_probes' => 2,
+ },
+ }
}
class base::standard-packages {
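Review bot: Both resources in this hunk take the define's default priority '10', so they become `10-ubuntu-precise-defaults.conf` and `10-wikimedia-base.conf` and sort after most of the role files this change creates elsewhere (`10-lvs.conf`, `10-openstack.conf`, `10-big-rmem.conf`, `10-high-http-performance.conf`, `10-radosgw.conf`). If procps applies `/etc/sysctl.d/*.conf` in glob order with the last value winning, which is what the deleted 50/60/99 prefixes relied on, the base values now override the role values: rp_filter goes back to 1 on the lvs and openstack hosts, and somaxconn, tcp_max_syn_backlog, netdev_max_backlog and rmem_max revert to the base numbers on the HTTP, radosgw and udp2log hosts. Keep the distro defaults at 10 but add `priority => '50',` to 'wikimedia base' here, and pass '60' in the lvs.pp, openstack.pp, webserver.pp and role/ceph.pp hunks and '99' for 'big rmem' in the misc/udp2log.pp hunk. The 'ubuntu precise defaults' set is also applied unconditionally now that the old `$::lsbdistid == "Ubuntu"` guard is gone; with purge on, any hardening file another release ships under /etc/sysctl.d is removed and replaced by this Precise list, so the list should be checked against each release actually managed.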
diff --git a/manifests/generic-definitions.pp b/manifests/generic-definitions.pp
index 8973d58..f750469 100644
--- a/manifests/generic-definitions.pp
+++ b/manifests/generic-definitions.pp
@@ -478,3 +478,16 @@
}
}
}
+
+
+class generic::higher_min_free_kbytes {
+ # Set a high min_free_kbytes watermark.
+ # See https://wikitech.wikimedia.org/wiki/Dataset1001#Feb_8_2012
+ # FIXME: Is this setting appropriate to the nodes on which it is
applied? Is
+ # the value optimal? Investigate.
+ sysctl::parameters { 'higher_min_free_kbytes':
+ values => {
+ 'vm.min_free_kbytes' => 1024 * 256,
+ },
+ }
+}
diff --git a/manifests/lvs.pp b/manifests/lvs.pp
index 4ee3722..9ba9b84 100644
--- a/manifests/lvs.pp
+++ b/manifests/lvs.pp
@@ -842,9 +842,22 @@
# Bind balancer IPs to the loopback interface
class { "lvs::realserver": realserver_ips => $service_ips }
- # Sysctl settings
- class { "sysctlfile::advanced-routing": ensure => absent }
- include sysctlfile::lvs
+ sysctl::parameters { 'lvs':
+ values => {
+ # Turn OFF RP filter
+ 'net.ipv4.conf.default.rp_filter' => 0,
+ 'net.ipv4.conf.all.rp_filter' => 0,
+
+ # Turn off IP forwarding for security
+ # LVS servers sit on all subnets
+ 'net.ipv4.ip_forward' => 0,
+
+ # Disable the route cache
+ # It is prone to DDoS attacks, and was even
+ # removed in >= 3.6 kernels.
+ 'net.ipv4.rt_cache_rebuild_count' => -1,
+ },
+ }
}
# Supporting the PyBal RunCommand monitor
diff --git a/manifests/misc/download.pp b/manifests/misc/download.pp
index 2a6b1b7..87c490e 100644
--- a/manifests/misc/download.pp
+++ b/manifests/misc/download.pp
@@ -55,7 +55,7 @@
require => [ Package[nfs-kernel-server], File["/etc/exports"] ],
}
- include sysctlfile::high-bandwidth-rsync
+ include generic::higher_min_free_kbytes
monitor_service { "lighttpd http": description => "Lighttpd HTTP",
check_command => "check_http" }
monitor_service { "nfs": description => "NFS", check_command =>
"check_tcp!2049" }
diff --git a/manifests/misc/udp2log.pp b/manifests/misc/udp2log.pp
index bf2f7cf..4cf727d 100644
--- a/manifests/misc/udp2log.pp
+++ b/manifests/misc/udp2log.pp
@@ -11,8 +11,14 @@
include
contacts::udp2log,
- misc::udp2log::udp_filter,
- misc::udp2log::sysctl
+ misc::udp2log::udp_filter
+
+ sysctl::parameters { 'big rmem':
+ values => {
+ 'net.core.rmem_max' => 536870912,
+ 'net.core.rmem_default' => 4194304,
+ },
+ }
# include the monitoring scripts
# required for monitoring udp2log instances
@@ -37,20 +43,6 @@
ensure => present;
}
}
-
-class misc::udp2log::sysctl($ensure="present") {
- # make sure base::sysctl is here so that
- # start procps can be notified.
- include base::sysctl
-
- sysctlfile { 'big-rmem':
- source => 'puppet:///modules/sysctlfile/99-big-rmem.conf',
- number_prefix => '99',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
-
# Class: misc::udp2log::rsyncd
#
diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index bff3817..124a9a1 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -590,9 +590,20 @@
require => Package["dnsmasq"];
}
- # Enable IP forwarding
- include sysctlfile::advanced-routing,
- sysctlfile::ipv6-disable-ra
+ sysctl::parameters { 'openstack':
+ values => {
+ # Turn off IP filter
+ 'net.ipv4.conf.default.rp_filter' => 0,
+ 'net.ipv4.conf.all.rp_filter' => 0,
+
+ # Enable IP forwarding
+ 'net.ipv4.ip_forward' => 1,
+ 'net.ipv6.conf.all.forwarding' => 1,
+
+ # Disable RA
+ 'net.ipv6.conf.all.accept_ra' => 0,
+ },
+ }
}
class openstack::api-service($openstack_version="folsom", $novaconfig) {
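Review bot: The comment `# Turn off IP filter` above the two rp_filter keys misnames the setting, which is reverse-path (source-address) filtering; the deleted 50-advanced-routing.conf called it `# Turn OFF RP filter`. Suggest `# Turn off reverse-path (source address) filtering` so a reader does not take it for packet filtering. Since this relaxes one of the distro network-security defaults re-expressed in base::sysctl, a one-line note on why the OpenStack network host needs it would help the next reviewer.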
diff --git a/manifests/role/ceph.pp b/manifests/role/ceph.pp
index caa5f62..fe2174d 100644
--- a/manifests/role/ceph.pp
+++ b/manifests/role/ceph.pp
@@ -74,11 +74,14 @@
include ceph::osd
# I/O busy systems, tune a few knobs to avoid page alloc failures
- sysctlfile { 'vm.min_free_kbytes':
- value => '512000',
- }
- sysctlfile { 'vm.vfs_cache_pressure':
- value => '120',
+ sysctl::parameters { 'ceph':
+ values => {
+ # Start freeing unused pages of memory sooner
+ 'vm.min_free_kbytes' => 512000,
+
+ # Prefer to reclaim dentries and inodes
+ 'vm.vfs_cache_pressure' => 120,
+ },
}
}
@@ -89,7 +92,26 @@
class { "lvs::realserver": realserver_ips => [ "10.2.2.27" ] }
- include sysctlfile::high-http-performance
+ sysctl::parameters { 'radosgw':
+ values => {
+ # Increase the number of ephemeral ports
+ 'net.ipv4.ip_local_port_range' => [ 1024, 65535 ],
+
+ # Recommended to increase this for 1000 BT or higher
+ 'net.core.netdev_max_backlog' => 30000,
+
+ # Increase the queue size of new TCP connections
+ 'net.core.somaxconn' => 4096,
+ 'net.ipv4.tcp_max_syn_backlog' => 262144,
+ 'net.ipv4.tcp_max_tw_buckets' => 360000,
+
+ # Decrease FD usage
+ 'net.ipv4.tcp_fin_timeout' => 3,
+ 'net.ipv4.tcp_max_orphans' => 262144,
+ 'net.ipv4.tcp_synack_retries' => 2,
+ 'net.ipv4.tcp_syn_retries' => 2,
+ },
+ }
class { 'ceph::radosgw':
servername => 'ms-fe.eqiad.wmnet',
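Review bot: The 'radosgw' block duplicates, key for key and value for value, the 'high http performance' block that `webserver::base` defines in the manifests/webserver.pp hunk, so the two copies will drift apart silently. The other former users of sysctlfile::high-http-performance in this change (memcached, squid, swift, protoproxy) were switched to `include webserver::base`; doing the same here, `include webserver::base`, keeps a single source for these values. If radosgw is expected to diverge later, a comment saying the values were copied from webserver::base would at least point a reader at the original.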
diff --git a/manifests/role/ipv6relay.pp b/manifests/role/ipv6relay.pp
index f55604b..80fd304 100644
--- a/manifests/role/ipv6relay.pp
+++ b/manifests/role/ipv6relay.pp
@@ -6,7 +6,19 @@
class role::ipv6relay {
system_role { 'role::ipv6relay': description => 'IPv6 tunnel relay
(6to4/Teredo)' }
- include sysctlfile::advanced-routing-ipv6
+ # Enable router advertisements even when forwarding is enabled
+ # ("all" doesn't work with accept_ra, add eth0 here as a hack)
+ # Turn on ip forwarding
+ sysctl::parameters { 'ipv6 routing':
+ values => {
+ 'net.ipv4.conf.all.forwarding' => 1,
+ 'net.ipv4.conf.default.forwarding' => 1,
+ 'net.ipv6.conf.all.forwarding' => 1,
+ 'net.ipv6.conf.default.accept_ra' => 2,
+ 'net.ipv6.conf.default.forwarding' => 1,
+ 'net.ipv6.conf.eth0.accept_ra' => 2,
+ },
+ }
# Teredo
include misc::miredo
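Review bot: The three comment lines above `sysctl::parameters { 'ipv6 routing':` were carried over from the deleted 50-advanced-routing-ipv6.conf, where each sat next to the keys it describes; stacked together here, `# Turn on ip forwarding` reads as the heading for the whole block and the eth0 remark is detached from `net.ipv6.conf.eth0.accept_ra`. Move them inside the hash next to their keys, for example `# Accept RAs even with forwarding on ("all" does not work with accept_ra, so eth0 is listed explicitly)` above the two accept_ra entries and `# Enable IPv4 and IPv6 forwarding` above the forwarding entries. The hard-coded `eth0` is a per-host assumption and is worth stating as such in that comment.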
diff --git a/manifests/role/memcached.pp b/manifests/role/memcached.pp
index e588349..1e1314f 100644
--- a/manifests/role/memcached.pp
+++ b/manifests/role/memcached.pp
@@ -10,7 +10,7 @@
system_role { "role::memcached": description => "memcached server" }
include standard,
- sysctlfile::high-http-performance
+ webserver::base
class { "::memcached":
memcached_size => '89088',
diff --git a/manifests/role/mirror.pp b/manifests/role/mirror.pp
index 57e4e63..94542c0 100644
--- a/manifests/role/mirror.pp
+++ b/manifests/role/mirror.pp
@@ -9,7 +9,7 @@
ensure => latest;
}
- include sysctlfile::high-bandwidth-rsync
+ include generic::higher_min_free_kbytes
}
class role::mirror::media {
diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp
index 3dc5dc7..c88b879 100644
--- a/manifests/role/protoproxy.pp
+++ b/manifests/role/protoproxy.pp
@@ -20,7 +20,7 @@
include protoproxy::package
# Tune kernel settings
- include sysctlfile::high-http-performance
+ include webserver::base
$nginx_worker_connections = '32768'
$nginx_use_ssl = true
diff --git a/manifests/site.pp b/manifests/site.pp
index fadd098..c437c19 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -794,7 +794,7 @@
# base_analytics_logging_node is defined in role/logging.pp
node "emery.wikimedia.org" inherits "base_analytics_logging_node" {
include
- sysctlfile::high-bandwidth-rsync,
+ generic::higher_min_free_kbytes,
admins::mortals,
accounts::milimetric, # RT 4312
accounts::tnegrin # RT 5391
diff --git a/manifests/squid.pp b/manifests/squid.pp
index bd05398..b5abcff 100644
--- a/manifests/squid.pp
+++ b/manifests/squid.pp
@@ -110,7 +110,7 @@
include aufs
# Tune kernel settings
- include sysctlfile::high-http-performance
+ include webserver::base
}
class squid::redirector {
diff --git a/manifests/swift.pp b/manifests/swift.pp
index c71f60b..340ece2 100644
--- a/manifests/swift.pp
+++ b/manifests/swift.pp
@@ -7,7 +7,7 @@
# include tcp settings
include swift::sysctl::tcp-improvements
- include sysctlfile::high-http-performance
+ include webserver::base
# this is on purpose not a >=. the cloud archive only exists for
# precise right now, and will perhaps exist for the next LTS, but
diff --git a/manifests/webserver.pp b/manifests/webserver.pp
index e74fa83..392a520 100644
--- a/manifests/webserver.pp
+++ b/manifests/webserver.pp
@@ -3,9 +3,33 @@
# Specific services (racktables, etherpad) do not
+class webserver::base {
+ # Sysctl settings for high-load HTTP caches
+ sysctl::parameters { 'high http performance':
+ values => {
+ # Increase the number of ephemeral ports
+ 'net.ipv4.ip_local_port_range' => [ 1024, 65535 ],
+
+ # Recommended to increase this for 1000 BT or higher
+ 'net.core.netdev_max_backlog' => 30000,
+
+ # Increase the queue size of new TCP connections
+ 'net.core.somaxconn' => 4096,
+ 'net.ipv4.tcp_max_syn_backlog' => 262144,
+ 'net.ipv4.tcp_max_tw_buckets' => 360000,
+
+ # Decrease FD usage
+ 'net.ipv4.tcp_fin_timeout' => 3,
+ 'net.ipv4.tcp_max_orphans' => 262144,
+ 'net.ipv4.tcp_synack_retries' => 2,
+ 'net.ipv4.tcp_syn_retries' => 2,
+ },
+ }
+}
+
# Installs a generic, static web server (lighttpd) with default config, which
serves /var/www
class webserver::static {
- include sysctlfile::high-http-performance,
+ include webserver::base,
firewall
package { lighttpd:
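Review bot: `webserver::base` contains only the 'high http performance' sysctl set, yet this change makes it the include target for memcached, squid, varnish and swift as well, and the varnish hunk already carries a TODO about it. A class named for the tuning it applies rather than for web servers, with `webserver::base` kept as a thin include of it for compatibility, would stop non-web roles from depending on a webserver class. The header comment `# Sysctl settings for high-load HTTP caches` is accurate for the values but should also say that other roles include this class for the same tuning.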
@@ -34,7 +58,7 @@
class webserver::php5( $ssl = 'false' ) {
- include sysctlfile::high-http-performance
+ include webserver::base
package { [ "apache2-mpm-prefork", "libapache2-mod-php5" ]:
ensure => present;
@@ -60,7 +84,7 @@
class webserver::modproxy {
- include sysctlfile::high-http-performance
+ include webserver::base
package { libapache2-mod-proxy-html:
ensure => present;
@@ -71,7 +95,7 @@
# include mysql and apache via dependencies.
class webserver::php5-mysql {
- include sysctlfile::high-http-performance
+ include webserver::base
package { php5-mysql:
ensure => present;
@@ -80,7 +104,7 @@
class webserver::php5-gd {
- include sysctlfile::high-http-performance
+ include webserver::base
package { "php5-gd":
ensure => present;
@@ -90,7 +114,7 @@
# Install the 'apache2' package
class webserver::apache2 {
- include sysctlfile::high-http-performance
+ include webserver::base
package { apache2:
ensure => present;
@@ -326,5 +350,5 @@
include packages,
config,
service,
- sysctlfile::high-http-performance
+ webserver::base
}
diff --git a/modules/sysctl/files/sysctl.d-empty/README
b/modules/sysctl/files/sysctl.d-empty/README
new file mode 100644
index 0000000..4521ab8
--- /dev/null
+++ b/modules/sysctl/files/sysctl.d-empty/README
@@ -0,0 +1,2 @@
+This directory is managed by Puppet.
+PUPPET WILL DELETE UNMANAGED FILES IN THIS DIRECTORY WITHOUT WARNING.
diff --git a/modules/sysctl/manifests/conffile.pp
b/modules/sysctl/manifests/conffile.pp
new file mode 100644
index 0000000..11e2581
--- /dev/null
+++ b/modules/sysctl/manifests/conffile.pp
@@ -0,0 +1,21 @@
+# == Define: sysctl::conffile
+#
+# Represents a file with sysctl kernel parameters in /etc/sysctl.d.
+#
+define sysctl::conffile(
+ $ensure = present,
+ $file = $title,
+ $content = undef,
+ $source = undef,
+ $priority = '10',
+) {
+ include sysctl
+
+ $basename = regsubst($file, '\W', '-', 'G')
+ file { "/etc/sysctl.d/${priority}-${basename}.conf":
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ notify => Service['procps'],
+ }
+}
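Review bot: `$priority` is interpolated into the path with no check, while `$file` is sanitized by the regsubst on the line above; a caller passing `priority => 5` or `'100'` produces `5-x.conf` or `100-x.conf`, which sort before `10-…` and silently change which file wins. A guard such as `if $priority !~ /^\d\d$/ { fail("sysctl::conffile: priority must be two digits, got '${priority}'") }` keeps the ordering predictable. The define also accepts both `$content` and `$source`, which the file resource rejects when both are set, and writes an empty file when neither is; stating in the header comment that exactly one is expected, and that `priority` controls the lexical apply order in /etc/sysctl.d, would document the contract.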
diff --git a/modules/sysctl/manifests/init.pp b/modules/sysctl/manifests/init.pp
new file mode 100644
index 0000000..12611aa
--- /dev/null
+++ b/modules/sysctl/manifests/init.pp
@@ -0,0 +1,30 @@
+# == Class: sysctl
+#
+# This Puppet module provides 'sysctl::conffile' and 'sysctl::parameters'
+# resources which manages kernel parameters using /etc/sysctl.d files
+# and the procps service.
+#
+class sysctl {
+ file { '/etc/sysctl.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ force => true,
+ source => 'puppet:///modules/sysctl/sysctl.d-empty',
+ }
+
+ # The 'propcs' Upstart job is available in Ubuntu 10.04 Lucid and up.
+ # The dummy service below is a hack to prevent Puppet failures on Hardy.
+ # FIXME: Remove dummy service when the last Hardy box is retired.
+ if versioncmp($::lsbdistrelease, '10') > 0 {
+ service { 'procps':
+ provider => upstart,
+ }
+ } else {
+ service { 'procps':
+ provider => base,
+ start => '/bin/true',
+ stop => '/bin/true',
+ }
+ }
+}
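Review bot: The comment on the versioncmp branch misspells the job name; it should read `# The 'procps' Upstart job is available in Ubuntu 10.04 Lucid and up.` The branch keys only on `$::lsbdistrelease`, whereas the code it replaces in base.pp also checked `$::lsbdistid == "Ubuntu"`; on a non-Ubuntu host the release number alone picks between an upstart provider that may not exist there and a dummy service that never loads the files, so consider `if $::lsbdistid == 'Ubuntu' and versioncmp($::lsbdistrelease, '10') > 0` with a `fail()` for unsupported platforms. The service has no `ensure`, so its only action is the refresh from the `Service['procps']` notifications in conffile.pp; the old code ran `/sbin/start procps`, and it is worth confirming on Precise that Puppet's upstart restart of the task-style procps job reloads the values instead of failing when the job is not running. With `purge => true` on /etc/sysctl.d this class is the one place that removes distro hardening files, so a comment stating that every shipped default must be re-expressed in base::sysctl belongs here.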
diff --git a/modules/sysctl/manifests/parameters.pp
b/modules/sysctl/manifests/parameters.pp
new file mode 100644
index 0000000..8142ae9
--- /dev/null
+++ b/modules/sysctl/manifests/parameters.pp
@@ -0,0 +1,17 @@
+# == Define: sysctl::parameters
+#
+# This custom resource lets you specify sysctl parameters using a Puppet
+# hash, set as the 'values' parameter.
+#
+define sysctl::parameters(
+ $values,
+ $ensure = present,
+ $file = $title,
+ $priority = '10',
+) {
+ sysctl::conffile { $file:
+ ensure => $ensure,
+ content => template('sysctl/sysctl.conf.erb'),
+ priority => $priority,
+ }
+}
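Review bot: The header comment documents only `values`; `ensure`, `file` (the title, sanitized by sysctl::conffile into the filename) and `priority` are undocumented, and nothing says that `values` must be a hash whose values are scalars or arrays (arrays are joined with spaces by the template). Suggest adding lines such as `# [*priority*] Two-digit prefix of the file in /etc/sysctl.d; files are applied in lexical order, so a key set by two resources needs distinct priorities to be deterministic.` and `# [*values*] Hash of sysctl key => scalar or array value.` to the header.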
diff --git a/modules/sysctl/templates/sysctl.conf.erb
b/modules/sysctl/templates/sysctl.conf.erb
new file mode 100644
index 0000000..177344c
--- /dev/null
+++ b/modules/sysctl/templates/sysctl.conf.erb
@@ -0,0 +1,7 @@
+# sysctl parameters managed by Puppet.
+<%=
+ @values.sort.map { |k, v|
+ v = v.join(' ') if v.is_a?(Array)
+ [ k, v ].join(' = ')
+ }.join("\n")
+%>
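Review bot: The template writes whatever it is handed: a `nil` value renders as `key = `, and a key or value containing a newline produces extra lines in the generated file, with the failure surfacing only as a procps error at run time rather than at catalog compile. Since `@values` comes from manifests a compile-time check is cheap: add `raise ArgumentError, "sysctl: bad key #{k.inspect}" unless k.to_s =~ /\A[\w.\/-]+\z/` and `raise ArgumentError, "sysctl: no value for #{k}" if v.nil? || v.to_s.include?("\n")` inside the block before the join. `@values.sort` also raises an opaque NoMethodError when a non-hash is passed; a `raise ArgumentError, "sysctl: values must be a Hash" unless @values.is_a?(Hash)` before the map gives a clear message.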
diff --git a/modules/sysctlfile/files/50-advanced-routing-ipv6.conf
b/modules/sysctlfile/files/50-advanced-routing-ipv6.conf
deleted file mode 100644
index fc28404..0000000
--- a/modules/sysctlfile/files/50-advanced-routing-ipv6.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-#####################################################################
-#### THIS FILE IS MANAGED BY PUPPET
-#### puppet:///modules/sysctlfile/50-advanced-routing-ipv6.conf
-######################################################################
-
-# Enable router advertisements even when forwarding is enabled
-# ("all" doesn't work with accept_ra, add eth0 here as a hack)
-net.ipv6.conf.eth0.accept_ra=2
-net.ipv6.conf.default.accept_ra=2
-
-# Turn on ip forwarding
-net.ipv4.conf.all.forwarding=1
-net.ipv4.conf.default.forwarding=1
-net.ipv6.conf.all.forwarding=1
-net.ipv6.conf.default.forwarding=1
diff --git a/modules/sysctlfile/files/50-advanced-routing.conf
b/modules/sysctlfile/files/50-advanced-routing.conf
deleted file mode 100644
index f727030..0000000
--- a/modules/sysctlfile/files/50-advanced-routing.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-#####################################################################
-#### THIS FILE IS MANAGED BY PUPPET
-#### puppet:///modules/sysctlfile/50-advanced-routing.conf
-######################################################################
-
-# Turn OFF RP filter
-net.ipv4.conf.default.rp_filter=0
-net.ipv4.conf.all.rp_filter=0
-
-# Turn on ip forwarding
-net.ipv4.ip_forward=1
-net.ipv6.conf.all.forwarding=1
diff --git a/modules/sysctlfile/files/50-ipv6-disable-ra.conf
b/modules/sysctlfile/files/50-ipv6-disable-ra.conf
deleted file mode 100644
index c986bbe..0000000
--- a/modules/sysctlfile/files/50-ipv6-disable-ra.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-#####################################################################
-#### THIS FILE IS MANAGED BY PUPPET
-#### puppet:///modules/sysctlfile/60-ipv6-disable-ra.conf
-######################################################################
-
-
-# Turn off ra
-net.ipv6.conf.all.accept_ra=0
diff --git a/modules/sysctlfile/files/50-lvs.conf
b/modules/sysctlfile/files/50-lvs.conf
deleted file mode 100644
index 2a04070..0000000
--- a/modules/sysctlfile/files/50-lvs.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-#####################################################################
-#### THIS FILE IS MANAGED BY PUPPET
-#### puppet:///modules/sysctlfile/50-lvs.conf
-######################################################################
-
-# Turn OFF RP filter
-net.ipv4.conf.default.rp_filter=0
-net.ipv4.conf.all.rp_filter=0
-
-# Turn off ip forwarding for security - LVS servers sit on all subnets
-net.ipv4.ip_forward=0
-
-# disable the route cache. prone to DDoS attacks and was even removed in >=
3.6 kernels
-net.ipv4.rt_cache_rebuild_count = -1
diff --git a/modules/sysctlfile/files/50-wikimedia-base.conf
b/modules/sysctlfile/files/50-wikimedia-base.conf
deleted file mode 100644
index 02a1a59..0000000
--- a/modules/sysctlfile/files/50-wikimedia-base.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/sysctlfile/50-wikimedia-base.conf
-#####################################################################
-
-# increase TCP max buffer size
-net.core.rmem_max = 16777216
-net.core.wmem_max = 16777216
-
-# increase Linux autotuning TCP buffer limits
-# min, default, and max number of bytes to use
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-
-# don't cache ssthresh from previous connection
-net.ipv4.tcp_no_metrics_save = 1
-# recommended to increase this for 1000 BT or higher
-net.core.netdev_max_backlog = 2500
-
-# Increase the queue size of new TCP connections
-net.core.somaxconn = 1024
-net.ipv4.tcp_max_syn_backlog = 4096
-
-# Swapping makes things too slow and should be done rarely
-# 0 = only swap in oom conditions (does not disable swap)
-vm.swappiness = 0
-
-# The default TCP keepalive time of 2H is too long
-net.ipv4.tcp_keepalive_time = 300
-net.ipv4.tcp_keepalive_intvl = 1
-net.ipv4.tcp_keepalive_probes = 2
diff --git a/modules/sysctlfile/files/60-high-bandwidth-rsync.conf
b/modules/sysctlfile/files/60-high-bandwidth-rsync.conf
deleted file mode 100644
index 9013c00..0000000
--- a/modules/sysctlfile/files/60-high-bandwidth-rsync.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/sysctlfile/60-high-bandwidth-rsync.conf
-#####################################################################
-
-
-# Sysctl settings for high bandwidth rsyncs
-
-# start reclaiming memory sooner than the default, in order to keep
-# pace with gigabit eth drivers requesting buffer allocations
-vm.min_free_kbytes = 262144
-
diff --git a/modules/sysctlfile/files/60-high-http-performance.conf
b/modules/sysctlfile/files/60-high-http-performance.conf
deleted file mode 100644
index 0528b74..0000000
--- a/modules/sysctlfile/files/60-high-http-performance.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/sysctlfile/60-high-http-performance.conf
-#####################################################################
-
-
-# Sysctl settings for high-load HTTP caches
-
-# Increase the number of ephemeral ports
-net.ipv4.ip_local_port_range = 1024 65535
-
-# recommended to increase this for 1000 BT or higher
-net.core.netdev_max_backlog = 30000
-
-
-# Increase the queue size of new TCP connections
-net.core.somaxconn = 4096
-net.ipv4.tcp_max_syn_backlog = 262144
-net.ipv4.tcp_max_tw_buckets = 360000
-
-# Decrease FD usage
-net.ipv4.tcp_fin_timeout = 3
-net.ipv4.tcp_max_orphans = 262144
-net.ipv4.tcp_synack_retries = 2
-net.ipv4.tcp_syn_retries = 2
diff --git a/modules/sysctlfile/files/99-big-rmem.conf
b/modules/sysctlfile/files/99-big-rmem.conf
deleted file mode 100644
index ed4c261..0000000
--- a/modules/sysctlfile/files/99-big-rmem.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/sysctlfile/99-big-rmem.conf
-#####################################################################
-
-
-net.core.rmem_max = 536870912
-net.core.rmem_default = 4194304
-
diff --git a/modules/sysctlfile/manifests/advanced-routing-ipv6.pp
b/modules/sysctlfile/manifests/advanced-routing-ipv6.pp
deleted file mode 100644
index 1c38eb9..0000000
--- a/modules/sysctlfile/manifests/advanced-routing-ipv6.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for advanced routing ipv6
-class sysctlfile::advanced-routing-ipv6($ensure="present") {
- sysctlfile {'advanced-routing-ipv6':
- source => 'puppet:///modules/sysctlfile/50-advanced-routing-ipv6.conf',
- number_prefix => '50',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
diff --git a/modules/sysctlfile/manifests/advanced-routing.pp
b/modules/sysctlfile/manifests/advanced-routing.pp
deleted file mode 100644
index ddb4f88..0000000
--- a/modules/sysctlfile/manifests/advanced-routing.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for 'advanced routing'
-class sysctlfile::advanced-routing($ensure='present') {
- sysctlfile {'advanced-routing':
- source => 'puppet:///modules/sysctlfile/50-advanced-routing.conf',
- number_prefix => '50',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
diff --git a/modules/sysctlfile/manifests/high-bandwidth-rsync.pp
b/modules/sysctlfile/manifests/high-bandwidth-rsync.pp
deleted file mode 100644
index ee71f19..0000000
--- a/modules/sysctlfile/manifests/high-bandwidth-rsync.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-# sysctl values for high bandwidth rsyn
-class sysctlfile::high-bandwidth-rsync($ensure="present") {
- sysctlfile {'high-bandwidth-rsync':
- source => 'puppet:///modules/sysctlfile/60-high-bandwidth-rsync.conf',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
diff --git a/modules/sysctlfile/manifests/high-http-performance.pp
b/modules/sysctlfile/manifests/high-http-performance.pp
deleted file mode 100644
index aa9eb93..0000000
--- a/modules/sysctlfile/manifests/high-http-performance.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-# sysctl values for http high performance
-class sysctlfile::high-http-performance($ensure="present") {
- sysctlfile {'high-http-performance':
- source => 'puppet:///modules/sysctlfile/60-high-http-performance.conf',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
diff --git a/modules/sysctlfile/manifests/ipv6-disable-ra.pp
b/modules/sysctlfile/manifests/ipv6-disable-ra.pp
deleted file mode 100644
index 9a67345..0000000
--- a/modules/sysctlfile/manifests/ipv6-disable-ra.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for ipv6-disable-ra
-class sysctlfile::ipv6-disable-ra($ensure="present") {
- sysctlfile {'ipv6-disable-ra':
- source => 'puppet:///modules/sysctlfile/50-ipv6-disable-ra.conf',
- number_prefix => '50',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
diff --git a/modules/sysctlfile/manifests/lvs.pp
b/modules/sysctlfile/manifests/lvs.pp
deleted file mode 100644
index 4f72112..0000000
--- a/modules/sysctlfile/manifests/lvs.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# sysctl values for lvs
-class sysctlfile::lvs($ensure="present") {
- sysctlfile {'lvs':
- source => 'puppet:///modules/sysctlfile/50-lvs.conf',
- number_prefix => '50',
- ensure => $ensure,
- notify => Exec["/sbin/start procps"],
- }
-}
diff --git a/modules/toollabs/manifests/exec_environ.pp
b/modules/toollabs/manifests/exec_environ.pp
index ba736dc..4efb96b 100644
--- a/modules/toollabs/manifests/exec_environ.pp
+++ b/modules/toollabs/manifests/exec_environ.pp
@@ -162,8 +162,12 @@
ensure => present
}
- sysctlfile { "vm.overcommit_memory": value => 2 }
- sysctlfile { "vm.overcommit_ratio": value => 95 }
+ sysctl::parameters { 'tool labs':
+ values => {
+ 'vm.overcommit_memory' => 2,
+ 'vm.overcommit_ratio' => 95,
+ },
+ }
# TODO: quotas
}
diff --git a/modules/varnish/manifests/common.pp
b/modules/varnish/manifests/common.pp
index b8ae8d7..a76822d 100644
--- a/modules/varnish/manifests/common.pp
+++ b/modules/varnish/manifests/common.pp
@@ -2,7 +2,8 @@
require varnish::packages
# Tune kernel settings
- include sysctlfile::high-http-performance
+ # TODO: Should be moved to a role class.
+ include webserver::base
# Mount /var/lib/ganglia as tmpfs to avoid Linux flushing mlocked
# shm memory to disk
--
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib294b691dad8500c2e0cd39896882f8cf4f3a286
Gerrit-PatchSet: 12
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot